Standards provide the basis for demonstrating compliance with laws, policies, and regulatory guidelines.
Synopsys DevSecOps tools and services can help organizations comply with laws, regulatory guidance, policies, and standards related to application security (AppSec), software quality, data protection, and privacy. They help teams find and fix weaknesses and vulnerabilities before they can be exploited, and they produce detailed reports listing the specific rules and categories of each standard that the tools address.
To help raise the bar for software security and stay informed about the latest security issues, Synopsys employees serve or have served as subject matter experts for the committees, boards, working groups, programs, and projects related to AppSec standards, policies, and regulatory guidelines listed below.
The Japan Automotive Software Platform and Architecture (JASPAR) enables the standardization of electronic control systems and software for in-vehicle networks, thereby allowing industrywide common implementation, more efficient development, and increased reliability. Topics include E/E cyber security.
The JASPAR cyber security technical working group works to define and validate the requirements of automotive cyber security technologies based on use cases, including projects like the “A-CST-07-0003 Fuzzing Test Guide.”
The Japan Network Security Association (JNSA) is a nonprofit organization that promotes network security standardization. JNSA comprises working groups including the Survey and Research Committee's IoT security working group, which carries out surveys and research on information security issues.
The Ministry of Economy, Trade, and Industry (METI) helps develop the Japanese economy and industry by promoting economic vitality in private companies and advancing external economic relationships. METI also secures a stable and efficient supply of energy and mineral resources.
METI works to secure the new supply chains (value creation processes) that arise under the national Society 5.0 policy, which integrates cyberspace and physical space, and under the national Connected Industries policy, which creates new value by connecting a variety of goods, industries, and people. METI develops the Cyber-Physical Security Framework (CPSF), an overview of the required security measures.
Under METI's industrial cyber security study group, the cross-disciplinary subworking group of WG 1 (systems, technologies, and standardization) discusses cyber-physical security measures for securing the new supply chains created by the Society 5.0 and Connected Industries policies. The Task Force for Examining Software Management Methods for Ensuring Cyber-Physical Security discusses the software bill of materials (SBOM) as a way to identify problems and bring them to the foreground, especially vulnerabilities in the supply chain.
The Motor Industry Software Reliability Association (MISRA) is a collaboration between vehicle manufacturers, component suppliers, and engineering consultancies that seeks to promote best practices for developing safety-related electronic systems in road vehicles and aircraft.
MISRA works closely with ISO/IEC JTC 1/SC 22/WG 14, the ISO C standards committee working group, and ISO/IEC JTC 1/SC 22/WG 21, the ISO C++ standards committee working group.
MISRA and AUTOSAR announced that their industry standard for best practice in C++ will be integrated into one publication.
The National Institute of Standards and Technology (NIST) is a physical sciences laboratory and a nonregulatory agency of the U.S. Department of Commerce that promotes innovation and industrial competitiveness.
U.S. policies are created when the Office of Management and Budget (OMB) turns executive orders into mandates or policies that point to the NIST special publications (SPs). These include the NIST SP 800 series for the computer security community, such as NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, which gives federal agencies guidance on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations.
The NIST Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. Part of NIST SCAP uses the CVE, CWE, and CAPEC lists.
The National Telecommunications and Information Administration (NTIA), located within the U.S. Department of Commerce, is the executive branch agency that is principally responsible by law for advising the President on telecommunications and information policy issues.
Stakeholders in NTIA software component transparency working groups collaborate in an open and transparent process to address transparency around software components and advocate for software transparency throughout the supply chain, including SBOM standards. An SBOM is a list of all the open-source and third-party components present in a codebase, the licenses that govern those components, the versions of the components used in the codebase, and their patch status.
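The SBOM definition above lists what an SBOM records (component, version, license, patch status). The following added example, which is not Synopsys or NTIA code, shows how a defender would consume one: it parses a constructed CycloneDX JSON document, reports components that lack a version or a license, and compares versions against a constructed internal minimum-version table standing in for patch-status policy. All component names, versions, purls, and policy values are made up for the example.

```python
"""Inventory a CycloneDX JSON SBOM and report gaps.

Added illustration (not Synopsys or NTIA code). The SBOM document and the
minimum-version policy table below are constructed for the example; the
component names, versions, and purls are made up.
"""
import json

# Constructed CycloneDX 1.4 SBOM with three components: one complete,
# one with no license information, one with no version.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libexample-json", "version": "1.4.2",
         "purl": "pkg:generic/libexample-json@1.4.2",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "acme-http-client", "version": "0.9.0",
         "purl": "pkg:generic/acme-http-client@0.9.0"},
        {"type": "library", "name": "legacy-parser",
         "licenses": [{"expression": "GPL-2.0-only OR LGPL-2.1-only"}]},
    ],
})

# Constructed internal policy: the minimum version an approved build may
# contain. Placeholders only, not real advisories.
MINIMUM_VERSIONS = {
    "libexample-json": "1.4.0",
    "acme-http-client": "1.0.0",
}


def license_ids(component):
    """Collect SPDX ids or expressions from CycloneDX 'licenses' entries."""
    ids = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            ids.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            ids.append(lic.get("id") or lic.get("name") or "unknown")
    return ids


def load_sbom(text):
    """Parse a CycloneDX JSON document into a flat component inventory."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return [
        {"name": c["name"], "version": c.get("version"),
         "purl": c.get("purl"), "licenses": license_ids(c)}
        for c in doc.get("components", [])
    ]


def parse_version(text):
    """Comparable tuple for simple dotted numeric versions, else None.
    Real ecosystems (semver pre-releases, Debian epochs) need their own rules."""
    if not text:
        return None
    parts = text.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def inventory_gaps(components):
    """Components missing data an SBOM is expected to carry."""
    return {
        "missing_version": [c["name"] for c in components if not c["version"]],
        "missing_license": [c["name"] for c in components if not c["licenses"]],
    }


def below_minimum(components, policy):
    """Components older than the policy minimum (patch status).
    Unparseable versions are reported too: they cannot be shown compliant."""
    flagged = []
    for c in components:
        minimum = policy.get(c["name"])
        if minimum is None:
            continue
        have, want = parse_version(c["version"]), parse_version(minimum)
        if have is None or have < want:
            flagged.append((c["name"], c["version"], minimum))
    return flagged


if __name__ == "__main__":
    comps = load_sbom(SAMPLE_SBOM)
    print("gaps:", inventory_gaps(comps))
    print("below minimum:", below_minimum(comps, MINIMUM_VERSIONS))
```

On the constructed input, the gap report names legacy-parser (no version) and acme-http-client (no license), and the policy check flags acme-http-client 0.9.0 against a 1.0.0 minimum. The version comparison is deliberately restricted to plain dotted numerics; anything else is treated as not demonstrably compliant rather than silently passed.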
The Organization for the Advancement of Structured Information Standards (OASIS) aims to set the standard for open collaboration. OASIS Open is where individuals, organizations, and governments come together to solve technical challenges through the development of open code and open standards.
The Static Analysis Results Interchange Format (SARIF) is an industry standard format for the output of static analysis tools. SARIF is an approved OASIS standard. It enables organizations in the safety and security communities to combine and compare the results from multiple competing tools more easily for a more accurate picture of their code issues.
OASIS SARIF technical committee members develop the SARIF interoperability standard for detecting software defects and vulnerabilities. The goal is to define a common output format for static analysis tools that will make it feasible for developers and teams to view, understand, interact with, and manage the results produced by all their tools.
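The two paragraphs above describe SARIF as the common format that lets teams combine and compare results from several static analysis tools. The following added example, which is not Synopsys or OASIS code, reads two constructed SARIF 2.1.0 logs, flattens their results, finds locations that more than one tool reported, and tallies findings per tool and level. Tool names, rule ids, messages, and file paths are made up; the only real structure is the SARIF 2.1.0 layout (runs, tool.driver, results, physicalLocation).

```python
"""Combine and compare SARIF 2.1.0 output from two static analysis tools.

Added illustration (not Synopsys or OASIS code). Both SARIF logs below are
constructed samples; the tool names, rule ids, messages and file paths are
made up for the example.
"""
import json
from collections import defaultdict


def _sarif(tool, results):
    """Wrap a result list in a minimal single-run SARIF 2.1.0 document."""
    return json.dumps({
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool}}, "results": results}],
    })


def _loc(uri, line):
    """Build a SARIF physicalLocation for a file and line."""
    return {"physicalLocation": {"artifactLocation": {"uri": uri},
                                 "region": {"startLine": line}}}


# Constructed log from hypothetical tool "ToolA".
TOOL_A_SARIF = _sarif("ToolA", [
    {"ruleId": "A001", "level": "error",
     "message": {"text": "strcpy into fixed-size buffer"},
     "locations": [_loc("src/net/parse.c", 42)]},
    {"ruleId": "A002", "level": "warning",
     "message": {"text": "gets() is deprecated"},
     "locations": [_loc("src/io/input.c", 17)]},
])

# Constructed log from hypothetical tool "ToolB". The second result omits
# "level" (SARIF's base default is "warning"); the third has no location.
TOOL_B_SARIF = _sarif("ToolB", [
    {"ruleId": "B-OVERFLOW", "level": "error",
     "message": {"text": "unchecked copy into stack buffer"},
     "locations": [_loc("src/net/parse.c", 42)]},
    {"ruleId": "B-HARDCODED",
     "message": {"text": "possible hard-coded credential"},
     "locations": [_loc("src/auth/token.c", 88)]},
    {"ruleId": "B-CONFIG", "level": "note",
     "message": {"text": "project-level configuration issue"}},
])


def load_findings(sarif_text):
    """Flatten every result of every run into one row per location."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError("unsupported SARIF version %r" % doc.get("version"))
    findings = []
    for run in doc["runs"]:
        tool = run["tool"]["driver"]["name"]
        for result in run.get("results", []):
            # A result may carry several locations or none; emit one row each.
            for loc in result.get("locations") or [None]:
                uri = line = None
                if loc is not None:
                    phys = loc.get("physicalLocation", {})
                    uri = phys.get("artifactLocation", {}).get("uri")
                    line = phys.get("region", {}).get("startLine")
                findings.append({
                    "tool": tool,
                    "ruleId": result.get("ruleId"),
                    "level": result.get("level", "warning"),
                    "uri": uri,
                    "line": line,
                    "message": result.get("message", {}).get("text", ""),
                })
    return findings


def group_by_location(findings):
    """Index findings by (file, line) so tools can be compared side by side."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["uri"], f["line"])].append(f)
    return groups


def corroborated(findings):
    """Locations reported by more than one tool: the highest-confidence issues."""
    hits = [key for key, rows in group_by_location(findings).items()
            if key[0] is not None and len({r["tool"] for r in rows}) > 1]
    return sorted(hits, key=lambda k: (k[0], k[1] or 0))


def unlocated(findings):
    """Results with no physical location; these need manual routing."""
    return [f for f in findings if f["uri"] is None]


def count_by_tool_and_level(findings):
    """Per-tool counts by SARIF level (error / warning / note)."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in findings:
        counts[f["tool"]][f["level"]] += 1
    return {tool: dict(levels) for tool, levels in counts.items()}


if __name__ == "__main__":
    merged = load_findings(TOOL_A_SARIF) + load_findings(TOOL_B_SARIF)
    print("corroborated:", corroborated(merged))
    print("per tool:", count_by_tool_and_level(merged))
    print("unlocated:", [f["ruleId"] for f in unlocated(merged)])
```

Because both tools use the same physicalLocation structure, the comparison needs no per-vendor adapter; src/net/parse.c line 42 surfaces as the one location both tools agree on, while the location-free ToolB result is kept in a separate bucket rather than dropped.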
SAE International (previously known as the Society for Automotive Engineers) is a global association of engineers and related technical experts that develops and publishes international standards for global transport industries such as aerospace, automotive, and commercial vehicles.
G-32 cyber-physical systems security committee
The G-32 cyber-physical systems security committee develops documents addressing cyber-physical systems security (CPSS) for multisector, cross-industry use, covering weaknesses and vulnerabilities in systems and system elements, including software, firmware, and hardware. Active participants in the committee include members from industries such as aerospace, automotive, defense, medical devices, industrial control devices, IoT, and banking and finance, as well as government and academia.
Vehicle cyber security systems engineering committee
The vehicle cyber security systems engineering committee (WG TEVEES18A), serving as the U.S. technical advisory group (TAG) to ISO, co-develops the Cyber Security Guidebook for Cyber-Physical Vehicle Systems (J3061). The ISO/SAE 21434 cyber security engineering standard for road vehicles builds upon SAE J3061 and provides a similar framework for the entire life cycle of road vehicles.
Data Link Connector vehicle security committee
The Data Link Connector vehicle security committee WG TEVDS20 develops:
The Singapore Manufacturing Federation Standards Development Organisation (SMF-SDO) administers the development, promotion, and implementation of standards to meet the needs of industry and regulators. SMF-SDO is guided by the industry-led Singapore Standards Council, which provides advice on the directions, policies, strategies, and priorities for the Singapore Standardisation Programme, managed by Enterprise Singapore, the national standards body.
The manufacturing standards committee (MSC) identifies, develops, and promotes critical standards to support the growth of the manufacturing and general engineering sectors in Singapore. The MSC autonomous vehicle technical committee (AVTC) oversees the preparation of a new standard and includes the cyber security guidelines working group (WG3) that develops “Technical Reference 68 for Autonomous Vehicles – Part 3 (TR 68 – 3): Cyber Security Principles and Assessment Framework” to promote the safe and secure deployment of fully autonomous vehicles in Singapore.